Auditing Data Loss Prevention (DLP) Programs

  • Slide 1: Auditing Data Loss Prevention (DLP) Programs

    September 2014

    www.pwc.com

  • Slide 2: Agenda

    1. What is Data Loss Prevention (DLP)?
    2. Auditing a DLP Program
    3. Key Audit Findings

  • Slide 3: What is Data Loss Prevention (DLP)?

    Data Loss Prevention (DLP) is a capability consisting of people, process, and technology solutions which enable companies to better manage sensitive data within their environment.

    Data-centric controls, focusing on how data is used across the business and end user processes, reduce risk by providing an enhanced understanding of the client's sensitive data landscape and tools to manage that landscape.

    Sensitive data loss can be mitigated by using DLP tools designed to detect data at rest, data in motion, and data in use.

    Data Loss Prevention is more than just a technology; DLP consists of processes and controls designed to minimize sensitive data loss.

  • Slide 4: DLP applied throughout the Data Lifecycle

    The lifecycle diagram on this slide lists six stages and the data each stage covers:

    1. Create: Data is created by people, processes, and technologies.

    2. Store: Data residing in data repositories and files throughout the corporate environment: file servers, databases, mail files, document management systems.

    3. Use: Data used at the endpoints: files saved to the local hard drive on devices (e.g., laptops, desktops, or mobile devices); files copied to removable media; copy/paste, hard-copy printing, screenshots; email, web and application communications to tablet or mobile devices.

    4. Share: Data traversing the corporate network: email and personal webmail; social media; manual or automated file transfers; network monitoring; network filtering.

    5. Archive: Data management; periodic backups.

    6. Destroy: Physical data destruction; secure wipe of data.

  • Slide 5: DLP applied throughout the Data Lifecycle

    (Lifecycle diagram repeated: 1. Create, 2. Store, 3. Use, 4. Share, 5. Archive, 6. Destroy.)

    Asset Classification helps to preemptively identify new sources of sensitive data.

  • Slide 6: High-Level DLP Architecture

    (Architecture diagram; the components shown are:)

    Network switch, web proxy, MTA, firewall
    Network Prevent for Web
    Network Prevent for Email
    Network Monitor
    Enforce (Management) with Oracle Database
    File systems/databases, covered by Network Discover
    Endpoints, covered by Endpoint Prevent

  • Slide 7: Auditing DLP

    Audit categories (each is marked as applying to Security Operations):

    Confidentiality: Preventing unauthorized people from accessing information while ensuring authorized people can access information.

    Integrity: Maintaining and assuring the accuracy and consistency of data over its life-cycle.

    Availability: Responding to outages and other events to maximize uptime and access to data.

    Operational Processes & Procedures: Defining and deploying processes necessary to maintain the environment in an operational state.

    Governance & Staffing: Providing an authoritative and effective reporting structure and ensuring adequate resources to staff the program.

    Architecture/Implementation: Designing and implementing the solution in a secure way which allows for measurable objectives to be completed.

  • Slide 8: Auditing DLP: Confidentiality

    The implementation and operation of a DLP Program should not introduce additional risk into the environment. The DLP tool contains sensitive data and must be secured appropriately.

    Network: DLP systems which contain sensitive data are segmented from the rest of the corporate network. Perimeter firewalls are configured to only allow necessary and secure protocols.

    System: DLP systems are appropriately locked down; they only contain applications and services which have been approved and are in line with corporate security standards. DLP systems have preventative and detective security measures in place, such as anti-virus software, to prevent compromise of the system.

    Application: The DLP application is regularly updated to contain the latest security patches and functionality. The application is configured with supported security controls enabled, such as HTTPS, limited access to the administrative panel, etc.

    Roles: Distinct roles are configured and deployed which enforce least privilege and separation of duties principles. The Administrator account is disabled; users which require administrator access are given specific privileges to enable accurate auditing of user actions.

  • Slide 9: Auditing DLP: Integrity

    DLP backend environments typically are designed to prevent unauthorized data changes by end users via the use of default attributes and custom attributes.

    Default attributes consist of detailed information collected from the event itself (e.g. data matching a policy, user information such as AD ID and/or IP address).

    Custom attributes are additional details captured for an identified event (e.g. attributes which can be pulled from Active Directory or HRIS); the DLP solution relies on such systems to be complete and accurate, as this is the information put into events.

    DLP data integrity issues primarily concern reporting. When auditing the integrity of reports, important questions include:

    Where is this report pulling incident details from (e.g. the DLP database, a data warehouse, etc.)?

    Is this report pulling in events from all vectors (in motion, in use, at rest)?

    Is the report pulling in all events? How were the filters/sorts configured? For example, obtain total incident counts for the period by vector and by policy, then compare incident counts by vector, policy and severity against the reports in question.

    Who has access to create, modify, and view these reports?

    What controls are in place to prevent events from being archived or purged from the database (role-based access)?
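    The count comparison behind the "all vectors" and "all events" questions above, as an added example in Python that is not part of the PwC deck: it recomputes incident counts by vector, policy and severity from the database events in the report period and flags every figure the report gets wrong or omits, including a section whose own total does not match the period. The events, the report figures, the field names and the missing "at rest" vector are all constructed assumptions for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample: incident events as the DLP database holds them (not real data).
EVENTS = [
    {"id": 1, "date": date(2014, 9, 2), "vector": "in motion", "policy": "PCI", "severity": "High"},
    {"id": 2, "date": date(2014, 9, 5), "vector": "in motion", "policy": "PCI", "severity": "Medium"},
    {"id": 3, "date": date(2014, 9, 10), "vector": "in use", "policy": "PII", "severity": "Medium"},
    {"id": 4, "date": date(2014, 9, 15), "vector": "at rest", "policy": "PCI", "severity": "High"},
    {"id": 5, "date": date(2014, 9, 20), "vector": "in motion", "policy": "PII", "severity": "Low"},
    {"id": 6, "date": date(2014, 8, 28), "vector": "in use", "policy": "PCI", "severity": "High"},
]

# Constructed sample: the totals a management report claims for September 2014.
# The report was filtered to network and endpoint events, so "at rest" is missing.
REPORT = {
    "period": (date(2014, 9, 1), date(2014, 9, 30)),
    "by_vector": {"in motion": 3, "in use": 1},
    "by_policy": {"PCI": 3, "PII": 2},
    "by_severity": {"High": 2, "Medium": 2, "Low": 1},
}

# Report section -> event attribute it should have been grouped by.
SECTIONS = {"by_vector": "vector", "by_policy": "policy", "by_severity": "severity"}

def events_in_period(events, start, end):
    """Events whose date falls inside the report period (inclusive)."""
    return [e for e in events if start <= e["date"] <= end]

def count_by(events, key):
    """Incident counts grouped by one event attribute."""
    return Counter(e[key] for e in events)

def reconcile(events, report):
    """Audit findings: every report figure that disagrees with the database, plus any
    section whose own total differs from the number of events in the period."""
    baseline = events_in_period(events, *report["period"])
    findings = []
    for section, key in SECTIONS.items():
        actual, claimed = count_by(baseline, key), report.get(section, {})
        for value in sorted(set(actual) | set(claimed)):
            if actual.get(value, 0) != claimed.get(value, 0):
                findings.append(f"{section}[{value}]: report {claimed.get(value, 0)}, "
                                f"database {actual.get(value, 0)}")
        if sum(claimed.values()) != len(baseline):
            findings.append(f"{section} total {sum(claimed.values())} != "
                            f"{len(baseline)} events in period")
    return findings
```

    Running reconcile(EVENTS, REPORT) on the constructed data yields two findings, both on the vector section; the policy and severity sections agree with the database, which is exactly the cross-check that exposes a report filtered to a subset of vectors.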


  • Slide 10: Auditing DLP: Availability

    Lack of availability can include a loss of functionality for both the DLP solution itself and the systems it integrates with, due specifically to the implementation and operation of a DLP solution. When a DLP solution is offline, the risk associated with data loss is exposed.

    Impact: In the event of a catastrophic failure, the DLP database and server can be restored to an operational state within an acceptable timeframe.
    Control: The DLP database and servers are regularly backed up and stored in a safe location.

    Impact: If a data in motion DLP server is taken offline, the failover component can continue to operate. If the failover component fails as well, the mail traffic and/or web traffic will continue to operate.
    Control: In-line data in motion servers have failover components; in the event of a catastrophic failure, data in motion servers are designed to fail open.

    Impact: Change management processes ensure that any necessary changes can be quickly backed out in the event of an issue. This allows both DLP systems and associated Internet traffic to continue to operate.
    Control: A change management process is in place to appropriately manage changes to the DLP solution and/or integrated systems.

    Impact: In the event of an issue which requires troubleshooting, resources can reliably execute troubleshooting processes to minimize service interruption.
    Control: Troubleshooting activities are well supported with sufficient staff and clearly defined processes/escalation paths.

  • Slide 11: Auditing DLP: Operational Processes

    An effective DLP Program should have operational processes defined and actively executed to ensure the return on investment.

    Processes should aim to achieve the following goals:

    Measurable risk reduction
    Efficient and effective event processing
    Maximum uptime
    Minimum business impact

    Operational processes shown on the slide:

    Event Processing & Escalation
    Event Owner Identification & Remediation
    Solution Maintenance
    Governance & Management Reporting
    Detection Policy Management & Optimization
    Issue Resolution

  • Slide 12: Auditing DLP: Governance & Staffing

    A governance structure complete with adequate staffing is necessary for a DLP Program to function, both in terms of return on investment and measurable risk reduction.

    DLP is more than just a technology tool; it is a program that must be regularly operated in order to derive the expected value which justified the investment.

    Is a Data Governance Committee in place to make key decisions related to identified security incidents?

    Are metrics routinely presented to a Data Governance Committee to present results and address potential issues?

    Are there designated resources for both technical operation of the DLP solution as well as investigation, risk identification, and remediation activities?

    Is there a designated Data Protection Manager responsible for the key outputs and continued operations of the DLP solution?

    Are third parties used to operate the solution? If so, are background checks required for third parties accessing sensitive data?

    Have third party risk assessments been performed for DLP vendors?

    Are third parties meeting their contractual obligations?

  • Slide 13: Auditing DLP: Architecture/Implementation

    The DLP Program's impact should be measurable.

    The effectiveness of the DLP Program, including quantifiable risk reduction, should be regularly communicated to the Data Governance Committee.

    Common metrics to measure effectiveness and risk reduction include:

    Impact: number of incidents remediated; rate of recurring incidents per data owner; number of systems which contain sensitive data; amount of unencrypted sensitive network traffic.

    Scope & Architecture: number and type of systems in scope; DLP vectors (at rest, in motion, in use) deployed; how third parties are accessing the environment; effectiveness of architecture deployment; number of high priority use cases in production; percentage of company assets covered.

    Efficiency: number of false positives detected; number of false positives reviewed; number of data owners identified.

    Effectiveness: number of DLP systems operational; average downtime; number of business processes analyzed; number of true incidents generated.

    Return on Investment (ROI) sits at the centre of these four metric groups on the slide.

  • Slide 14: Auditing DLP: Typical Key Findings Observed

    Confidentiality: The DLP environment is not segmented from the corporate network. The DLP systems are running insecure services.

    Integrity: Permissions do not prevent unauthorized users from generating reports. Report data only includes a subset of total events.

    Availability: There is no change management process, or DLP does not follow the change management process. The DLP database/servers are not regularly backed up.

    Operational Processes: Operational processes are not clearly defined/documented. Processes for the sustainable identification and remediation of DLP Events are not deployed.

    Governance & Staffing: The DLP Program does not report to a Data Governance Committee. The DLP Program is not adequately staffed.

    Architecture & Implementation: Metrics are not being routinely generated and presented to the Data Governance Committee. DLP Events are not processed in a timely manner.

  • Slide 15

    2014 PricewaterhouseCoopers LLP (US). All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.